Content data reproduction system and recording device

ABSTRACT

To exclude any unauthorized device from a system and thereby prevent illegal use of content data, a memory card  10  stores a service key Ksrv for encrypting content key data Kc in a hidden area  14.  The memory card  10  stores answer data A C  to be obtained when question data Q is fed to a host function F possessed by an authorized host device  20,  with encryption applied to the answer data A C  by the service key Ksrv. When the question data Q is provided to the host device  20,  answer data A H  is obtained based on the question data Q and the host function F. A comparison unit  122  judges match or mismatch of the answer data A H  and the answer data A C . When they match, the memory card  10  decrypts the content key data Kc encrypted by the service key Ksrv and sends it to the host device  20.

TECHNICAL FIELD

The present invention relates to a content data reproduction systemcapable of reproducing content data while eliminating unauthorized useof the content data, and a recording device used therefor.

BACKGROUND ART

With the recent development of the information society, a content datareproduction system is widely used that delivers to a user terminalcontent data such as electronic books, newspapers, music, and motionpictures and the like and allows the content data to be available.

Since the electronized content data (hereinafter referred to simply as“content data”) is easily duplicatable, illegal activities disregardingcopyright may easily occur. From a point of view of protecting contentdata from such illegal activities, the content data is usually encryptedwith an encryption key and is recorded, while it is decrypted when it isreproduced. Content Protection for Prerecorded Media (CPRM) is one ofsuch content data protection technologies. Another proposed technique isa double-key encryption technique which encrypts a content key doubly bytwo keys (see e.g., Patent Document 1). A double-key encryptiontechnique of this type is used in, for example, MQbic®. Of theencryption keys, a key unique to a recording medium, for example, amedium-unique key is securely stored in a hidden area of the recordingmedium and made completely inaccessible from outside. Hence, forexample, if a committer of illegal copying illegally copies onlyencrypted content key data, he or she cannot use the content data unlesshe or she has the medium-unique key.

However, if the medium-unique key is somehow read out illegally andgiven away to a host manufacturer who has not got a formal license, itis likely that the content data will be used illegally with anunauthorized device that is manufactured based on the leakedinformation.

CONVENTIONAL ART DOCUMENT Patent Document

Patent Document 1: JP2005-341156A

DISCLOSURE OF INVENTION Problem to be Solved by the Invention

An object of the present invention is to provide a content datareproduction system and a recording device capable of preventing illegaluse of content data by excluding any unauthorized device from thesystem.

Means for Solving the Problem

A content data reproduction system according to one aspect of thepresent invention includes: a host device configured to use contentdata; and a recording device configured to decrypt encrypted contentdata to allow the content data to be used in the host device, theencrypted content data being content data encrypted by content key data.The recording device includes: a storage unit configured to store aservice key for encrypting the content key data, encrypted content keydata which is the content key data encrypted by the service key, andencrypted output data which is first output data encrypted by theservice key, the first output data being obtained when input data iscalculated by using a host function possessed by an authorized hostdevice; a comparison unit configured to provide the input data to thehost device, receive from the host device second output data obtained bythe host device based on the input data and the host function, andcompare the second output data with the first output data; and a dataprocessing unit configured to decrypt the encrypted content key data byusing the service key to obtain the content key data, when thecomparison unit detects that the first output data and the second outputdata match each other. The storage unit is configured to store theservice key in a hidden area inaccessible by the host device. The hostdevice includes a first conversion unit configured to obtain the secondoutput data based on the input data and the host function.

A recording device according to one aspect of the present invention isprovided in cooperation with a host device, and configured to be capableof decrypting encrypted content data to allow content data to be used inthe host device, the encrypted content data being content data encryptedby content key data, the recording device including: a storage unitconfigured to store a service key for encrypting the content key datafor encrypting the content data, encrypted content key data which is thecontent key data encrypted by the service key, input data to be fed to ahost function possessed by an authorized host device, and encryptedoutput data which is first output data encrypted by the service key, thefirst output data being obtained when the input data is fed to the hostfunction; a comparison unit configured to provide the input data to thehost device, receive second output data obtained by the host devicebased on the input data and the host function, and compare the secondoutput data with the first output data; and a decryption processing unitconfigured to decrypt the encrypted content key data by using theservice key to obtain the content key data, when the comparison unitdetects that the first output data and the second output data match eachother. The storage unit is configured to store the service key in ahidden area inaccessible by the host device.

EFFECT OF THE INVENTION

According to the present invention, it is possible to provide a contentdata reproduction system and a recording device capable of excluding anyunauthorized device from the system, thereby preventing illegal use ofcontent data.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing an entire structure of a content datareproduction system according to a first embodiment of the presentinvention.

FIG. 2 explains a process for a host device 20 to acquire content keydata Kc according to the first embodiment, and the operation of eachunit in the process.

FIG. 3 is a block diagram showing an entire structure of a content datareproduction system according to a second embodiment of the presentinvention.

FIG. 4 explains a process for a host device 20 to acquire content keydata Kc according to the second embodiment, and the operation of eachunit in the process.

FIG. 5 is a concept diagram explaining an outline of an authenticationprocess in a content data reproduction system according to a thirdembodiment of the present invention.

FIG. 6 shows an example structure of MKB (Media Key Block) used in thecontent data reproduction system according to the third embodiment ofthe present invention.

FIG. 7 shows the operation of each unit when a common authenticationprocess is executed in the content data reproduction system according tothe third embodiment of the present invention.

FIG. 8 shows an example structure of MKB (Media Key Block) used in thecontent data reproduction system according to the third embodiment ofthe present invention.

FIG. 9 shows the operation of each unit when different authenticationprocesses are executed for different hosts in the content datareproduction system according to the third embodiment of the presentinvention.

BEST MODE FOR CARRYING OUT THE INVENTION

Next, the embodiments of the present invention will be explained indetail with reference to the drawings.

First Embodiment

FIG. 1 is a block diagram showing the entire structure of a content datareproduction system according to a first embodiment of the presentinvention. The system includes a memory card (a recording device) 10which securely stores content key data for encrypting content data,etc., and a host device 20 which reproduces content data by, incooperation with the memory card 10, obtaining the content key dataafter an authentication process described later. The host device 20 iscapable of exchanging data with a content server 30 and a key database40 through a network 50.

The memory card 10 and the host device are connected through a securechannel 60 and capable of securely exchanging data in accordance withAKE (Authentication and Key Exchange).

The memory card 10 includes an interface unit 11, a dataprocessing/communication control unit 12, a system area 13, a hiddenarea 14, a user data area 15, and a service key processing unit 16.

The interface unit 11 is a unit in charge of controlling input/output ofvarious data to be exchanged with the host device 20 through the securechannel 60.

The data processing/communication control unit 12 is a unit in charge ofvarious data processes described later (data separation,comparison/judgment, data conversion, encryption/decryption), andcontrol on sending/receiving of the processed data. The dataprocessing/communication control unit 12 includes a data separation unit121, a comparison unit 122, an encryption/decryption unit 123, a thirdconversion unit 124, and a sending/receiving control unit 125. As willbe described later, the data separation unit 121 has a function ofseparating linked data composed of mutually-relevant linked pieces ofdata.

The comparison unit 122 is a unit which, as will be described later,compares answer data A_(C) possessed by the memory card 10 with answerdata A_(H) calculated by the host device 20 and judges match or mismatchof these pieces of answer data. The encryption/decryption unit 123 has afunction of encrypting plain-text data provided thereto and decryptingencrypted data provided thereto. The third conversion unit 124 applies aone-way function or the like to data provided thereto to convert thedata into irreversible data. The sending/receiving control unit 125 is aunit in charge of encryption using a session key Ks generated based onAKE (Authentication and Key Exchange), and data exchange with the hostdevice 20.

The system area 13 is an area accessible from the outside of therecording device 10, and stores a storage medium key Ksm to be used whenobtaining a service key Ksrv described later, an authentication keyKauth to be used for an authentication process with the host, etc.

The hidden area 14 is an area writable only by a content server 30 whichhas passed a predetermined authentication process, and otherwisecompletely inaccessible from the outside. According to the presentembodiment, a service key Ksrv used for protecting content key data Kcis stored in the hidden area 14 to be invisible from the outside. Theservice key Ksrv is written therein by a memory card maker when thememory card 20 is manufactured, or written therein aftermanufacture/shipping by a key distribution server by using anauthentication process using the storage medium key Ksm described above,a PKI authentication process, or the like. The method of writing theservice key Ksrv is not limited to a specific one.

The user data area 15 is an area freely writable/readable from theoutside of the recording medium 30. According to the present embodiment,the user data area 15 stores encrypted content data Enc(Kc:C), i.e.,content data C encrypted by the content key data Kc, and in addition,encrypted content key data Enc(Ksrv:Kc), i.e., the content key data Kcencrypted by the service key Ksrv. Moreover, the user data area 15stores question data Q (input data) to be input into a host function Fpossessed by an authorized host device 20, and encrypted answer dataEnc(Ksrv:Ac), i.e., answer data Ac (first output data) which is to beobtained when the question data Q is input into the host function F andwhich is encrypted by the service key Ksrv. For association purposes,these encrypted content key data Enc (Ksrv:Kc), question data Q, andencrypted answer data Enc (Ksrv:Ac) are stored as linked data Enc (Ksrv:Kc||Ac)||Q obtained by linking these pieces of data together. (Here, Enc(A:B||C) represents that linked pieces of data B and C are encoded withthe use of a single piece of key data A. The sign “||” represents thatthe pieces of data shown on the left and right-hand sides thereof areconcatenated.)

For preventing illegal copy, data called MKB (Media Key Block) is usedand stored in the user data area 15. The MKB is a medium key encryptedby an aggregate of device keys (Kd) set in respective host devices assecret keys. The medium key is a base key for encrypting content data.The MKB also includes information about unauthorized devices so that theunauthorized devices cannot acquire the medium key. Note that theencrypted content data Enc (Kc:C) needs not be stored in the user dataarea 15 but may be stored in the host device 20.

The service key processing unit 16 has a function of writing a servicekey Ksrv in the hidden area 14 through a certain process, when itreceives the service key Ksrv distributed from the content server 30.The service key Ksrv is used only in the memory card 10, and never givenaway to the outside once written from the content server 30.

The host device 20 has an application program 20A. The host device 20forms, in the application program 20A, an interface unit 21, a dataprocessing/communication control unit 22, and a data storage area 23.The interface unit 21 is a unit in charge of controlling input/output ofvarious data to be exchanged with the memory card 10 through the securechannel 60.

The data processing/communication control unit 22 is a unit in charge ofvarious data processes described later (data separation and dataconversion) and control on sending/receiving of the processed data. Thedata processing/communication control unit 22 includes a datacombining/separation unit 221, a first conversion unit 222, anencryption/decryption unit 223, and a sending/receiving control unit225. The data processing/communication control unit 22 also includes anMKB processing unit 22A in charge of processing MKB (Media Key Block).

As will be described later, the data combining/separation unit 221 has afunction of combining (linking) mutually relevant pieces of data andseparating linked data received.

The first conversion unit 222 has a function of inputting question dataQ provided thereto into a host function F to convert it into answer dataA_(H). The encryption/decryption unit 223 has a function of encryptingplain-text data provided thereto and decrypting encrypted data providedthereto. The sending/receiving control unit 225 is a unit in charge ofencrypting the data by using a session key Ks generated by AKE(Authentication and Key Exchange) or the like, and exchanging data withthe memory card 10.

The data storage area 23 stores a host function executing program forexecuting the host function F described in detail later, content keydata Kc acquired, and the like. The host function executing programstored in the data storage area 23 may be a self-contained program.Alternatively, some part of its functions may be provided from a DynamicLink Library (DLL) execution unit 24 in the form of a DLL, as shown inFIG. 1. The DLL execution unit 24 loads the DLL, thereby causing the DLLto operate integrally with the program stored in the data storage area23. That is, they function as a single piece of software as a whole.

As can be understood from the above, an authorized host device 20possesses a host function executing program for executing the hostfunction F, while the memory card 10 possesses question data Q as datato be input into the host function F which an authorized host device 20is supposed to possess, and answer data A_(C) as data to be output as aresult. The host device 20 inputs question data Q provided by the memorycard 10 into the host function F to obtain answer data A_(H), andreturns the answer data A_(H) to the memory card 10. The memory card 10compares the received answer data A_(H) with the answer data A_(C)possessed in itself. When both the pieces of data match each other, thememory card 10 decrypts the content key data Kc encrypted by the servicekey Ksrv and sends the decrypted content key data Kc to the host device20.

On the other hand, an unauthorized host device does not possess such ahost function F, and hence even when provided with the question data Q,cannot obtain answer data, and hence the content key data Kc, either.Therefore, according to the present embodiment, it is possible toexclude use of any unauthorized device. The host function F is providedin an authorized host device in the form of a program to be executed.Unlike ordinary data, the host function F is difficult to be deplicatedin an easy way, and used without authority. The host function executingprogram becomes even harder to be deplicated when it is formed by usingan add-on DLL as in the example described above.

Furthermore, for preventing illegal copy, data called MKB (Media KeyBlock) is used. The MKB is a medium key encrypted by an aggregate ofdevice keys (Kd) set in respective host devices as secret keys. Themedium key is a base key for encrypting content data. The MKB alsoincludes information about unauthorized devices so that the unauthorizeddevices cannot acquire the medium key.

Next, a process for the host device 20 to acquire the content key dataKc according to the present embodiment, and the operations of therespective units in this process will be explained with reference toFIG. 2.

When the host device 20 gives a request for reproduction of certaincontent data C, the memory card 10 sends linked dataEnc(Ksrv:Kc||A_(C))||Q that includes the content key data Kccorresponding to that content data C to the requesting host device 20through the data processing/communication control unit 12 and the securechannel 60 (not illustrated in FIG. 2).

The data combining/separation unit 221 of the host device 20 separatesthe question data Q from the encrypted data Enc (Ksrv:Kc||A_(C)). Theseparated question data Q is input to the first conversion unit 222, andanswer data A_(H) is generated based on the host function F.

The data combining/separation unit 221 combines the answer data A_(H)and the encrypted data Enc (Ksrv:Kc||A_(C)). The resulting compositedata Enc (Ksrv:Kc||A_(C))||A_(H) is encrypted by theencryption/decryption unit 223 with the use of the session key Ks, andsent to the memory card 10. In the memory card 10, theencryption/decryption unit 123 decrypts this encrypted data by using thesession key Ks. The data separation unit 121 separates the decryptedcomposite data Enc (Ksrv:Kc||A_(C))||A_(H) and thereby obtains theencrypted data Enc (Ksrv:Kc||A_(C)) and the answer data A_(H). Theencryption/decryption unit 123 decrypts the encrypted data Enc(Ksrv:Kc||A_(C)) by using the service key Ksrv, and thereby obtains thecontent key data Kc and the answer data A_(C).

The comparison unit 122 compares the obtained answer data A_(C) andanswer data A_(H). When both the pieces of data match each other, thecomparison unit 122 outputs a match signal to the sending/receivingcontrol unit 125. On receiving the match signal, the sending/receivingcontrol unit 125 instructs the encryption/decryption unit 123 to encryptthe decrypted content key data Kc by using the session key Ks, and sendsthe encrypted content key data Kc to the host device 20. The host device20 decrypts the content key data Kc by using the session key Ks. A dataprocessing unit 226 stores the content key data Kc in a certain storageunit, and thereby this process is finished.

As can be understood from the above, by possessing the host functionexecuting program capable of executing a calculation based on the hostfunction F, the host device 20 can obtain answer data A_(H) based on theprovided question data Q, and then the content key data Kc based on thisanswer data A_(H). Replication of such data as behaving like a programis difficult because it requires a program analysis. By introducing ascheme for executing such a program, it is possible to excludeunauthorized devices effectively.

Second Embodiment

Next, a content data reproduction system according to a secondembodiment of the present invention will be explained with reference toFIG. 3 and FIG. 4. The entire structure of the system is substantiallythe same as shown in FIG. 1, and the same components are denoted by thesame reference numerals. Therefore, a detailed explanation about themwill not be provided.

The difference from the first embodiment is that there is provided asecond conversion unit 224. The second conversion unit inputs, togetherwith the session key Ks, the answer data A_(H) output by the firstconversion unit 222 into a one-way function and thereby obtainsconverted data AES-G(A_(H), Ks).

Likewise, the third conversion unit 124 of the memory card 10 isconfigured to execute an operation of inputting the answer data A_(C)and the session key Ks into a one-way function to obtain converted dataAES-G (A_(C), Ks). Then, these pieces of converted data are compared bythe comparison unit 122. In this way, match or mismatch of the answerdata A_(C) and the answer data A_(H) is judged. The second embodiment isthe same as the first embodiment in any other points.

Third Embodiment

Next, a content data reproduction system according to a third embodimentof the present invention will be explained with reference to FIG. 5 toFIG. 9. The entire structure of the system according to the presentembodiment is substantially the same as shown in FIG. 1, and a detailedexplanation will not be provided.

In the system according to the present embodiment, among a plurality ofhost devices 20-1, 20-2, . . . and 20-n, a specific host device 20-m canuse an input and an output which can be calculated only by a hostfunction provided in that host device, while the other host devices 20-i(i≠m) can use an input and an output which can be calculated by all ofthe host devices. In this way, different host devices may be providedwith different input and output to be used in an authentication process.This may inspect on one by one basis installation of a host function ina host device. This process also may achieve secure exclusion of aspecific unauthorized device. Specifically, as shown in FIG. 5, aspecific host device 20-m is provides with question data Q#m and answerdata A#m. The question data Q#m and answer data A#m may satisfy arelationship of A#m=F#m (Q#m) only in a host function F#m that issupposed to be held in the specific host device 20-m. The question dataQ#m is provided to the host device 20-m to let the host device 20-mreturn answer data. Because the host device 20-m must possess thespecific host function F#m, the authentication process for the hostdevice 20-m becomes stricter than that for the other host devices.

On the other hand, question data Q#* is provided to the other hostdevices 20-i (i≠m). The question data Q#* allows any host function F#*to result in the same answer data A#* (A#*=F (Q#*)). In other words, thequestion data Q#* provides the same answer data A#* whichever hostfunction F it is input into. Hence, it is possible to ease theauthentication process for the other host devices 20-i compared to thatfor the specific host device 20-m (i.e., the host device 20-i inquestion needs only to possess some host function whatsoever, and thekind of the function is overlooked). Hence, it is possible to switch thescheme and strictness of the authentication process from host device tohost device.

For switching the host-function-F-based authentication process, thepresent system has such an MKB structure as shown in FIG. 6.

First, the MKB includes a host node number storage section 71 whichstores host node numbers (Node#1, Node#2, . . . , and Node#n) of thehost devices 20.

The MKB also includes, in the form of data, a common medium key Km usedfor the plurality of host devices 20-1 to 20-n in common. The commonmedium key Km is encrypted by device keys Kd#1, Kd#2, . . . , and Kd#nunique to the respective host devices, and stored in an encrypted commonmedium key storage section 72 as encrypted common medium keys Enc (Kd#m,Km) (m=1 to n).

The MKB also includes, in the form of data, individual medium keys Km-1,Km-2, . . . , and Km-n unique to the host devices respectively. Theindividual medium keys Km-1, Km-2, and . . . , Km-n are stored in anindividual medium key storage section 73.

(A) Case 1

A case when this MKB structure is prepared such that the same input andoutput to be fed to and returned from the host function are used for allof the host devices 20-1, 20-2, . . . , and 20-n will now be explainedwith reference to FIG. 7. In this case, the content key data Kc and theanswer data A_(C) are encrypted and stored in the user data area 15 inaccordance with the following process.

(1) The content key data Kc is encrypted by the common medium key Km togenerate encrypted content key data Enc (Km:Kc).

(2) The encrypted content key data Enc (Km:Kc) is linked with answerdata A#* and question data Q#*, and then the resulting linked data isencrypted by the service key Ksrv to obtain encrypted dataEnc(Ksrv:Enc(Km:Kc)||A#*||Q#*). This data is further encrypted by thecommon medium key Km and stored in the user data area 15.

The MKB having this data structure is stored in the user data area 15 ofthe memory card 10. When the host device 20-m accesses the memory card10 under this condition to request distribution of the content key dataKc, the memory card 10 provides this MKB to the MKB processing unit 22Aof the host device 20-m. The MKB processing unit 22A decrypts the commonmedium key Km in the storage section 72 by using its own device keyKd#m, and then by using this common medium key Km, decrypts theencrypted data Enc(Km:Enc(Ksrv:Enc(Km:Kc)||A#*||Q#*) in the user dataarea 15 to obtain the data Enc (Ksrv:Enc (Km:Kc)||A#*||Q#*.

The data separation unit 221 separates the question data Q#* andprovides it to the first conversion unit 222, which then obtains answerdata A_(H). Any other operations are the same as in the embodimentdescribed above.

(B) Case 2

An operation of a case when the question used for a specific host device20-m is different from the question used for any other host devices willbe explained with reference to FIG. 8 and FIG. 9. In this case,encrypted data Enc(Ksrv:Enc(Km:Kc)||A#*||Q#*) is generated for the otherhost devices 20-i (i≠m), while encrypted dataEnc(Ksrv:Enc(Km-m:Kc)||A#m||Q#m) is generated for the specific hostdevice 20-m. Furthermore, the encrypted common medium key dataEnc(Kd#m:Km) stored in the encrypted common medium key storage section72 is rewritten to encrypted individual medium key data Enc(Kd#m:Km-m).

An operation of a case when the specific host device 20-m requestsdistribution of the content key data Kc when such an MKB is preparedwill be explained with reference to FIG. 9. In this case, the MKBprocessing unit 22A obtains the individual medium key Km-m by using itsown device key Kd#m and thereby decrypts the dataEnc(Km-m:Enc(Ksrv:Enc(Km-m:Kc)||A#m||Q#m) to obtain the encrypted dataEnc(Ksrv:Enc(Km-m:Kc)||A#m||Q#m, and separates the question data Q#m andprovides it to the first conversion unit 222. This question data Q#mresults in answer data A#m being output only when it is input into aspecific host function F#m, and results indifferent answer data beingoutput when input into other host functions F#. Accordingly, in the hostdevice 20-m, the function of the host device 20-m is inspected byquestion data and answer data different from those for the other hostdevices 20-i (i≠m).

Though the embodiments of the invention having been described, thepresent invention is not limited to them, but various modifications,additions, etc. can be made thereonto without departing from the scopeof the spirit of the invention.

DESCRIPTION OF REFERENCE NUMERALS

10 memory card

11 interface unit

12 data processing/communication control unit

13 system area

14 hidden area

15 user data area

16 service key processing unit

20 host device

21 interface unit

22 data processing/communication control unit

22A MKB processing unit

23 data storage unit

24 DLL execution unit

30 content server

40 key database

50 network

71 host node number storage section

72 encrypted common medium key storage section

73 individual medium key storage section

121 data separation unit

122 comparison unit

123 encryption/decryption unit

124 third conversion unit

125 sending/receiving control unit

221 data separation unit

222 first conversion unit

223 encryption/decryption unit

224 second conversion unit

225 sending/receiving control unit

226 data processing unit

1.-5. (canceled)
 6. A medium comprising first key information (Ksm) andunique authentication information, the medium comprising a storing unitthat stores encrypted secret key data, the encrypted secret key databeing generated by encrypting secret key data using unique keyinformation, the unique key information being obtained by a processusing the first key information.
 7. A device comprising a first area asa hidden area, a second area and a third area, wherein a session keyshared between the device and a host may be generated by authenticationand key exchange (AKE), and wherein data transmission and reception maybe performed between the device and the host after encryption using thesession key.
 8. A host configured to generate a session key byauthentication and key exchange (AKE) using information stored in afirst area as a hidden area, a second area and a third area, the sessionkey being shared between the host and an external device, wherein in acommunication between the host and the external device using the sessionkey, one way function or the like is applied thereto, and data convertedin an irreversible manner is used for authentication.
 9. A content datareproduction system comprising a host, the host being configured togenerate a session key by authentication and key exchange (AKE) usinginformation stored in a first area as a hidden area, a second area and athird area, the session key being shared between the host and anexternal device, wherein in a communication between the host and theexternal device using the session key, one way function or the like isapplied thereto, and data converted in an irreversible manner is usedfor authentication, the host further includes a first conversion unitthat receives the session key data obtained by an authentication processbetween the host and the external device, and first output data toobtain first conversion data, and the external device further comprisesa second conversion unit that receives the session key data and secondoutput data to obtain second conversion data, and a comparison unit thatcompares the first conversion data and the second conversion data tojudge a match between the first output data and the second output data.10. The content data reproduction system according to claim 9, whereinthe host is configured to perform an executing program for executingcalculation by a host function possessed by the host.
 11. The contentdata reproduction system according to claim 9, wherein a part of theexecuting program is provided in form of a dynamic link library.